Offers clients the use of the best commercial penetration testing tools available on the market (licenses for many expensive pentesting tools are already owned); this has previously helped win government contract bids.

Experience consists of 26 years of exposure to computers and networks, 19 years in information security / assurance, 15 years in information system (IS) security auditing, 13 years in project management, 13 years in penetration testing and vulnerability assessment, 13 years in application security, 13 years supporting government clients (DoD/ANGB, DSS, DISA, DHHS/FDA, PSC, DoL/ESA, DoS/CA, DHS/FEMA, TSA, DoED, FHFA, LOC, USAID), and 5 years supporting commercial companies in the telecommunications, financial services and banking industries, including Information Systems (IS) security audits of banking applications. Education includes ~40 IT certifications, 100+ courses, a Master's degree in Geography (1990), and a second Master's degree in Information Security (2004).

AFFILIATIONS:
ACFEI – member of the American College of Forensic Examiners International (www.acfei.com)
CSI – member of the Computer Security Institute (www.gocsi.com)
IEEE – member of the Institute of Electrical and Electronics Engineers (www.ieee.org)
IIA – member of the Institute of Internal Auditors (www.theiia.org)
ISACA – member of the Information Systems Audit and Control Association (www.isaca.org)
ISSA – member of the Information Systems Security Association (www.issa.org)
NAGC – member of the National Association of Government Contractors (web.governmentcontractors.org)
NBISE OST – member of the National Board of Information Security Examiners' Operational Security Testing Panel (https://www.nbise.org/home/about-us/governance/ostp)
NoVaH – member of the Northern Virginia Hackers, DC InfoSec Group (http://novahackers.blogspot.com)
OWASP – member of the Open Web Application Security Project (OWASP) Northern Virginia Chapter (https://www.owasp.org/index.php/Virginia) and Washington DC Chapter (https://www.owasp.org/index.php/Washington_DC)

Principal Information Security Engineer

Start Date: 2004-11-01
End Date: 2006-09-01

• Performed as a principal information security engineer and an INFOSEC principal subject matter expert to the CA ISSO in a multidisciplinary team environment.
• Served as Certification and Accreditation (C&A) certifier for the Bureau of Consular Affairs.
• Leveraged security consultation expertise and findings to design and deliver new IT services for customized CA business systems so as to ensure that they exceed DoS security requirements in a cost-effective manner.
• Served as lead engineer for NG's CA Risk Management (ST3) and System Security Integration Support (ST6) sub-task contracts, with primary responsibility for all aspects of project planning and management.
• Supervised the security engineering team in daily security tasks such as vulnerability assessment and patch discovery, testing, implementation, and monitoring across the entire State Dept. Bureau of Consular Affairs.
• Created additional technical positions in his security engineering team, billable to the federal contract.
• Performed "hands-on" laboratory analyses, security assessments, and penetration testing, documented evaluation findings, and provided recommendations to government management, team members, and contractors.
• Developed and coordinated related project lifecycle security engineering processes and documentation.
• Completed vulnerability assessment analysis of CA's Major Applications and General Support Systems.
• Defined information security strategy, briefed CA management and system administrators on the vulnerability assessment reports, and presented and prioritized options for risk mitigation.
• Completed vulnerability assessments, penetration testing, IT audits, and a risk assessment framework on thousands of computers, using a variety of automated tools (BTK, MBSA, Harris STAT, Nessus, and AppDetective) as well as manual review and testing of security configurations including, but not limited to, Windows 2003/2000/NT Server, Windows XP/2000 Pro/NT workstations, IIS 6/5/4, SQL Server 2005/2000/7, and Oracle 8i/9i R2/10g RDBMS.
• Advised DoS and CA Patch Management groups on enhancing the methodology and procedures for implementing Microsoft and other vendors' security patches.
• Provided technical services for network security monitoring support, focusing on server and workstation security.
• Reported weekly to the CA ISSO on vulnerability assessment and mitigation activities.
• Reviewed information security controls to help provide effective, efficient and secure access to information within operating systems, databases, and applications.
• Worked independently on new business development opportunities and on the scope of prospective engagements; wrote, developed and delivered proposals.
• Led technical efforts to research and evaluate new security-related technologies and security vendor offerings, and integrated appropriate products aimed at reducing the risk to CA's network environment; this resulted in several new products being added to CA's software baseline that are currently in use.
• Analyzed and decomposed government customer needs and requirements to identify appropriate solutions.
• Led analysis and planning for standing up a new Harris STAT vulnerability assessment and monitoring security architecture, in compliance with the Department's and Bureau's information security policies and procedures.
• Analyzed existing network infrastructures and provided recommendations to government managers to ensure secure communication of sensitive data and to reduce threats to the DoS SBU network.
• Evaluated DoS Diplomatic Security (DS) Windows and Database Security Configuration guides.
• Interfaced with the various customers, government management, and project stakeholders within Consular Affairs and DoS in order to successfully integrate recommended solutions into the existing infrastructure.

Principal Security Tester / Information Systems (IS) Security Auditor

Start Date: 2006-09-01
End Date: 2007-01-01

• Supported the full cycle of the Certification and Accreditation (C&A) process as a principal security tester.
• Acted as a principal subject matter expert (SME) and advised on any security-related issue.
• Developed and conducted the Security Testing and Evaluation (ST&E) plan, which included the identification of system boundaries, the system requirements, test objectives, testing methods, the test scenario, the test procedures, and the expected results.
• Reviewed the minimum security checklist against the Security Requirements Traceability Matrix (SRTM).
• Performed vulnerability assessment scanning, penetration testing, ethical hacking, and PCI audits on hundreds of devices according to the Rules of Engagement document, using a variety of COTS and open source security tools.
• Conducted Vulnerability Assessments (VA) and IT audits on various types of networks, systems, applications and OSs, such as Windows XP/2000/2003, Sun Solaris 9, Linux Slackware, Cisco IOS 12.x, SQL 2000, Oracle 8i/9i, Apache 1.3, Exchange 2000, and Linksys WAP, using CIS, Harris STAT, Nessus, and WebInspect tools.
• Examined output from vulnerability assessments and translated its technical jargon into plain-language concepts and suggested remediation strategies.
• Conducted IT Risk Assessments (RA), described risk sources and provided recommended countermeasures to reduce risk to an acceptable and manageable level.
• Presented advice on and implemented changes in network and host architecture within the enterprise.
• Worked closely with the system, web, and database administrators to assist them with security mitigation.
• Completed system reviews to ensure group-level policies were in compliance with security best practices.
• Assisted with development of the IT security policies and procedures for conducting certifications.
• Helped with translation of government directives into the client's policy and procedural documentation.
• Assisted in designing and implementing security products such as intrusion detection systems (IDS), patch management systems, firewalls, and antivirus using a cost-effective, quality-focused approach.
• Reviewed security plans and procedures concerning all aspects of the LAN and WAN.
• Supported the development and implementation of a technical audit program.
• Developed and presented finding analysis reports to all levels within the client's enterprise.

Information Technology Security Analyst

Start Date: 2003-07-01
End Date: 2004-11-01

• Served as a senior security consultant, subject matter expert, and lead advisor to the agency's executives and ISSOs for developing and managing a project for the new architecture of IT security policies, standards and procedures.
• Managed Certification and Accreditation (C&A) and information assurance activities.
• Managed information resources in the realization of Plan of Action and Milestones (POA&M) tasks, represented General Support Systems (GSS) on IT security issues, consulted with other Major Applications (MA) program owners, and ensured that budget was allocated and that priorities and deadlines were met for the Inspector General (IG) auditors and reached the desired level of risk mitigation; de facto took over responsibilities from the retired Information Systems Security Officer (ISSO).
• Managed the project; initiated, architected, described, and applied new standards of security documentation.
• Independently reviewed, interpreted and developed security policies, standards, procedures, guidelines, and best security practices based on government guidelines such as NIST SP 800-26 and 800-18, OMB A-130 App. III, A-11 Exhibit 300, FISMA reports and the Federal Information System Controls Audit Manual (FISCAM).
• Implemented agency-wide strategic security information planning and analysis; updated Security Programs.
• Evaluated and advised in developing IT security Certification and Accreditation documentation: System Security Plans (SSP), Risk Assessments (RA), Disaster Recovery Plans (DRP), Privacy Impact Assessments (PIA), Security Test and Evaluation (ST&E), and the Authority To Operate (ATO) package for General Support Systems (GSS) and Major Applications (MA).
• Examined and developed systems security requirements, engineering standards and specifications based on Federal and Agency principles for networks, servers, databases, desktop systems, OSs, IDSs, firewalls, etc.
• Advised, recommended, and provided support to government senior management, IT security executives, ISSMs, ISSOs and SMEs for developing, assessing, implementing, and maintaining security good practices.
• Supervised security auditing and reviewed the work performed to ensure all audit work was completed in accordance with department policies and professional standards.
• Led security assessment activities based on NIST Special Publications and other government best practices.
• Performed and documented risk assessments (RA), conducted and evaluated information assurance vulnerability assessments (IAVA), and defined the metrics to measure the risks associated with those vulnerabilities.
• Acted as a principal subject matter expert (SME) in identifying and solving IT security problems, recommended proper IT security architecture solutions, and implemented security policies to ensure compliance.
• Supervised engineers in preparing maintenance plans and procedures to validate security requirements.
• Independently researched government and departmental security documents.
• Presented written and oral reports to government executives and managers with appropriate IT security strategy recommendations, alternatives, measures and solutions.
• Evaluated and updated the security awareness training and education program.

Principal Security Subject Matter Expert / Penetration Tester

Start Date: 2007-11-01
End Date: 2008-02-01

• Developed and executed the Security Test and Evaluation (ST&E) and Information Security Assessment Plan as part of the Certification and Accreditation (C&A) process.
• Developed and implemented vulnerability scanning and penetration testing plans and procedures.
• Evaluated, tested, and implemented scanning and penetration testing tools: QualysGuard and CORE Impact.
• Led and mentored a team of security testers performing penetration testing and vulnerability assessments.
• Developed security hardening and mitigation strategies according to the Department's Security Guidelines.